Presentation is loading. Please wait.

Presentation is loading. Please wait.

What Went Wrong? Alex Groce Carnegie Mellon University Willem Visser NASA Ames Research Center.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "What Went Wrong? Alex Groce Carnegie Mellon University Willem Visser NASA Ames Research Center."— Presentation transcript:

1 What Went Wrong? Alex Groce Carnegie Mellon University Willem Visser NASA Ames Research Center

2 Java PathFinder void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; } Java Code JAVACJVM 0: iconst_0 1: istore_2 2: goto#39 5: getstatic 8: aload_0 9: iload_2 10: aaload Bytecode Special JVM Model Checker

3 Counterexamples When the model checker finds a bug, it reports a counterexample. However, even an exact trace of the program failing is not what we really want for most bugs.

4 Counterexamples How can we get more information from a counterexample? –Perhaps if we had some successful runs to compare to, or other failing runs in which to look for common elements… A common way of debugging by hand Except we can automate it using the model checker

5 Counterexamples The Error

6 Counterexamples “The Error” Real cause

7 Counterexamples “The Error” Real cause Idea: generate other traces that can give you more information about what is going wrong. How?

8 Positives and Negatives Real cause assert (x < 5); (and x = 8) “The Error”

9 Positives and Negatives “The Error” Real cause Same location, same error: NEGATIVE (-) Real cause assert (x < 5); (and x = 10) An Error assert (x < 5); (and x = 8)

10 Positives and Negatives Real cause Same control flow location, no error condition: POSITIVE (+) Same location, same error: NEGATIVE (-) Real cause assert (x < 5); (and x = 3) assert (x < 5); (and x = 10) “The Error”An Error assert (x < 5); (and x = 8) No Error

11 The Basic Search “The Error” Real cause

12 The Basic Search Real cause

13 The Basic Search Real cause

14 The Basic Search Real cause

15 The Basic Search Real cause

16 The Basic Search Real cause

17 The Basic Search Real cause

18 The Basic Search

19

20

21

22 The Search in Detail “The Error” Real cause Depth limit PositivesNegatives

23 The Search “The Error” Real cause Depth limit Already visited PositivesNegatives

24 The Search “The Error” Real cause Depth limit PositivesNegatives

25 The Search “The Error” Real cause Depth limit PositivesNegatives “push-through”

26 The Search “The Error” Real cause Depth limit Already visited PositivesNegatives

27 After the Search “The Error” Real cause Positives that are prefixes of some negative are removed While negatives are a true subset of complete negatives, positives are an approximation based on observed behavior This can be useful: in some reactive systems, every trace can be extended into an error trace

28 Analysis of the Traces Now what do we do with these? Report on code that appears – only in positives/negatives – in all positives/negatives – only and all positives/negatives (causal) Transform positives into negatives Find difference in invariants across positives and negatives PositivesNegatives

29 Analysis by Code Lines For our example trace, the line(s) in the real cause will be: –in all negative traces and –only appear in negative traces –thus will be identified as genuine cause Includes which thread executed the code and any nondeterministic choices made Can custom define equivalences to allow for looser definition of “the same code” “The Error” Real cause Automatically identified

30 Common Ground “The Error” Real cause (Can set a minimum shared prefix or suffix size) Shared prefix Shared suffix (control flow only) Transformation “How to make it break”

31 Transformation Analysis Sorted so that minimal way to break (transformation from each positive to nearest negative) is identified Rerun code line analysis over transformation code only (very useful in some cases) Can identify type of error: –If any positive can be transformed into a negative by only altering thread scheduling, the error is essentially concurrency based

32 Invariant Differences Pick certain control locations at which to observe data values in our traces Run a dynamic invariant detection algorithm to compute invariants across these locations for all negatives and then all positives Compare the discovered invariants

33 A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }

34 A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; } A simple stack with an interface that initializes the stack to a random maximum size then randomly pushes and pops data.

35 A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; } A simple stack with an interface that initializes the stack to a random maximum size then randomly pushes and pops data. ORIGINAL COUNTEREXAMPLE: Stack overflow for stack size 1 (array out of bounds on stack)

36 A Stack Example public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; } A simple stack with an interface that initializes the stack to a random maximum size then randomly pushes and pops data. ORIGINAL COUNTEREXAMPLE: Stack overflow for stack size 1 (array out of bounds on stack) Run analysis with a search depth of 50 and compute invariants.

37 A Stack Example Code line analysis Code in the push method appears in all negatives. public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }

38 A Stack Example Invariant analysis For positives, on entry to the push method, this invariant holds: stack.length > top For negatives, however the invariant is: stack.length >= top public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }

39 A Stack Example Transformations from positive to negative Change stack size from 3 to 1 … Change stack size from 4 to 2 Insert a push … Remove a pop … public IntStack (int s) { stack = new int[s]; top = 0; } public void push (int i) { stack[top++] = i; } public int pop () { top--; return stack[top]; }

40 DEOS Error Analysis DEOS –Real time operating system –Allows threads to be created and deleted –Has time budgets for various threads

41 DEOS Error Analysis DEOS –Real time operating system –Allows threads to be created and deleted –Has time budgets for various threads Original counterexample –Assertion about the time budget of a thread fails

42 DEOS Error Analysis DEOS –Real time operating system –Allows threads to be created and deleted –Has time budgets for various threads Original counterexample –Assertion about the time budget of a thread fails Run analysis with size limit of 10

43 DEOS Error Analysis Transformations Change a wait until next period into a thread deletion Insert an interrupt and system clock ticks (before a deletion already in the positive) Change a wait until next period into an interrupt and system clock ticks and afterwards a deletion … The DEOS error requires deletion (which appears in the set of code found in all negatives) but also relies upon specific timing, as indicated by the transformations.

44 Related Work “Fate and Free Will in Error Traces” (TACAS 02) SLAM group independently investigated very similar concepts this summer (submitted to POPL) –Approach quite similar in spirit, lacks invariants and transformation approaches, but has some niceties with respect to source code analysis Andreas Zeller: work on isolating error-causing thread schedules and cause-effect chains

45 Future Work More efficient algorithms for generation of the traces (try bounded model checking) Different approaches to analysis: –Generation of automata –Characterization of error classes –Checking of causality…

Download ppt "What Went Wrong? Alex Groce Carnegie Mellon University Willem Visser NASA Ames Research Center."

Similar presentations

CS2006 - Data Structures I Chapter 6 Stacks I 2 Topics ADT Stack Stack Operations Using ADT Stack Line editor Bracket checking Special-Palindromes Implementation.

CS Data Structures I Chapter 6 Stacks I 2 Topics ADT Stack Stack Operations Using ADT Stack Line editor Bracket checking Special-Palindromes Implementation.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.

Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION DEBUGGING Autumn 2011 Bug-Date: Sept 9, 1947.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION DEBUGGING Autumn 2011 Bug-Date: Sept 9, 1947.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
Stacks, Queues, and Deques. 2 A stack is a last in, first out (LIFO) data structure Items are removed from a stack in the reverse order from the way they.

Stacks, Queues, and Deques. 2 A stack is a last in, first out (LIFO) data structure Items are removed from a stack in the reverse order from the way they.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
Introduction to Computability Theory

Introduction to Computability Theory
© 2006 Pearson Addison-Wesley. All rights reserved7A-1 Chapter 7 Stacks.

© 2006 Pearson Addison-Wesley. All rights reserved7A-1 Chapter 7 Stacks.
Part-B1 Stacks. Stacks2 Abstract Data Types (ADTs) An abstract data type (ADT) is an abstraction of a data structure An ADT specifies: Data stored Operations.

Part-B1 Stacks. Stacks2 Abstract Data Types (ADTs) An abstract data type (ADT) is an abstraction of a data structure An ADT specifies: Data stored Operations.
Part-B1 Stacks. Stacks2 Abstract Data Types (ADTs) An abstract data type (ADT) is an abstraction of a data structure An ADT specifies: Data stored Operations.

Part-B1 Stacks. Stacks2 Abstract Data Types (ADTs) An abstract data type (ADT) is an abstraction of a data structure An ADT specifies: Data stored Operations.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.

Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Stacks, Queues, and Deques

Stacks, Queues, and Deques

Similar presentations

Ads by Google